Configuring LAPS (Part 2) - Configuring and Deploying Group Policy

This post is the second part of a two-part series on configuring and deploying the Microsoft Local Administrator Password Solution (LAPS). The first post covered the steps needed to configure Active Directory to support LAPS. That post can be found here. This post covers the steps needed to enable the LAPS functionality on devices.

(Required) Deploy the LAPS Group Policy Client-Side Extension

LAPS is enabled and configured on devices using Group Policy. However, devices do not natively know about the LAPS settings. To have the Group Policy apply correctly, a Group Policy Client-Side Extension (CSE) needs to first be deployed to devices. There are many ways to get the CSE installed on devices. This example will cover how to deploy the CSE using Microsoft Configuration Manager.

Deploy the LAPS Application

Right click on the LAPS application that was created in the previous section and select Deploy

On the Deploy Software Wizard window, use the Browse button to select a collection of devices to deploy this application to, then click Next

On the Content screen, click Next

On the Deployment Settings screen, choose whether you want the application to be Available (optional to install through the Software Center) or Required (installed automatically), then click Next

On the Scheduling screen, select when the application will be installed on devices, then click Next

On the User Experience screen, select how the application should appear in the Software Center and whether or not the application should respect any existing maintenance windows, then click Next

On the Alerts screen, optionally configure deployment alerting, then click Next

On the Summary screen, click Next

On the Completion screen, click Close

(Required) Configure Group Policy to Deploy LAPS Settings

Group Policy is used to configure LAPS settings and to enable the LAPS functionality on targeted devices. The LAPS settings can be added to an existing group policy object; however, in this example, a new group policy object will be created to deploy the settings.

Install the LAPS Group Policy Administrative Template

Group policy does not natively know about the LAPS settings. The settings need to be pulled from an administrative template.

Log onto the computer where the LAPS management utilities were installed

If the management utilities need to be re-installed, see the first section of the first part of this series for instructions on doing so (LINK)

Open a file explorer window and navigate to C:\Windows\PolicyDefinitions

Copy the AdmPwd.admx file found in the root of the directory and the AdmPwd.adml file found in the en-US subdirectory

Paste the files in the group policy central store

The group policy central store is located at \\domain.fqdn\SYSVOL\domain.fqdn\Policies\PolicyDefinitions

Enable local admin password management – This setting is required for LAPS to work. This setting tells the device to randomize its local administrator password

Password Settings – This setting is required for LAPS to work. This setting tells the device what complexity requirements the random password should adhere to. It also tells the device how long the password should be and how often the password should change.

Do not allow password expiration time longer than required by policy – This setting is optional but recommended. If this setting is not set, the password expiration time on a device could manually be set to be longer than the expiration period specified in the Password Settings setting.

Name of administrator account to manage – This setting is optional. By default, LAPS will manage the password of the built-in local administrator account. If this setting is enabled, an account other than the built-in administrator account can be managed.

Once the settings have been configured, close the group policy management editor window

In the group policy management console, right click on the OU that the policy will be applied to and select Link an Existing GPO

Select the group policy object that was just created and click OK
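As an added example (not part of the original post), the following PowerShell snippet, run as an administrator on a targeted device after a gpupdate /force, checks that the LAPS client-side extension is registered and that each of the settings configured above has actually reached the device. It reads the registry paths and value names used by the AdmPwd (legacy LAPS) CSE; the complexity mapping and the 14-character default are assumed from the LAPS administrative template.

```powershell
# Added example: verify LAPS CSE registration and delivered policy settings on a device.
# Assumes the AdmPwd (legacy LAPS) CSE; registry names below are the ones it consumes.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
$cseKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

# 1. Is the LAPS client-side extension (AdmPwd.dll) registered with Group Policy?
$cse = Get-ChildItem $cseKey -ErrorAction SilentlyContinue |
       Where-Object { (Get-ItemProperty $_.PSPath).DllName -like '*AdmPwd.dll' }
if ($cse) { "CSE registered: $($cse.PSChildName)" }
else      { "CSE NOT registered - deploy the LAPS application to this device first" }

# 2. Have the GPO settings arrived? (Missing key = GPO not linked/applied yet.)
$p = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
if (-not $p) { "No LAPS policy in registry - check the GPO link and run gpupdate /force"; return }

# PasswordComplexity values as defined in the LAPS template (assumed mapping)
$complexity = @{ 1 = 'A-Z'; 2 = 'A-Z, a-z'; 3 = 'A-Z, a-z, 0-9'; 4 = 'A-Z, a-z, 0-9, special' }

[pscustomobject]@{
    'Enable local admin password management'     = [bool]$p.AdmPwdEnabled
    'Password complexity'                        = $complexity[[int]$p.PasswordComplexity]
    'Password length'                            = $p.PasswordLength
    'Password age (days)'                        = $p.PasswordAgeDays
    'Do not allow expiration longer than policy' = [bool]$p.PwdExpirationProtectionEnabled
    'Managed account'                            = if ($p.AdminAccountName) { $p.AdminAccountName }
                                                   else { '(built-in Administrator)' }
} | Format-List

# 3. Warn on states that leave the device weaker than the post's recommendations
if (-not $p.AdmPwdEnabled) { Write-Warning 'LAPS is not enabled on this device' }
if ($p.PasswordLength -lt 14) { Write-Warning "Length $($p.PasswordLength) is below the 14-character default" }
if (-not $p.PwdExpirationProtectionEnabled) {
    Write-Warning 'Expiration protection is off; a local expiry could be set past the policy period'
}
```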

Looking up and Resetting Passwords

Now that AD has been configured, the Group Policy Client-Side Extension has been deployed, and the Group Policy Object has been created, LAPS should be functioning on devices. There are two ways to look up passwords for devices: from the properties of the computer object in Active Directory, or by using the LAPS GUI utility.